Common keytab file for all the application servers - Is it possible

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jan 2 11:20:35 EST 2006


sandypossible at gmail.com wrote:

> I have a question. If I assume that there are some 100 devices which
> are acting as application servers and they want to use windows domain
> controller as KDC, then can I use same keytab file on all the devices?
> I will have common entry for all the devices in the domain controller
> and generate a keytab file using ktpass. I will use the same keytab
> file. Will this work? Will there be any issues in connection
> establishment? Is this correct way?

Assuming that you are planning on distributing the embedded device
to 100 different locations and that all of the devices are not going
to be under the control of the same entities, using the same service
principal and keys for all of the devices would be a poor security
decision. If one of the devices was compromised and its keytab
was stolen, then the attacker could pretend to be any of the devices
that shared that principal name and keytab.

As long as the devices are considered unique entities from the
perspective of the client connecting to them, they should be assigned
unique service principals.

Jeffrey Altman
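An added example, not part of this thread, of the audit the reply implies: a small parser for the MIT keytab file format (version 2, the 0x0502 header) and a check that flags any service principal and key that appear on more than one device in a fleet. The keytab builder and the three-device fleet are constructed sample input; device names and principals are assumptions.

```python
import hashlib
import struct
from collections import defaultdict
MAGIC = b"\x05\x02"  # MIT keytab file format, version 2

def parse_keytab(data):  # -> list of {principal, kvno, enctype, key}
    if data[:2] != MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        end, ncomp = pos + size, struct.unpack_from(">H", data, pos)[0]
        parts, pos = [], pos + 2
        for _ in range(ncomp + 1):  # realm first, then each name component
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2) key(keylen)
        vno8, enctype, klen = struct.unpack_from(">8xBHH", data, pos)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                    "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return out

def make_keytab(principal, key, kvno=1, enctype=18):  # builds sample input only
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return MAGIC + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def shared_keys(keytabs):  # {(principal, enctype, key fingerprint): [devices]}
    seen = defaultdict(list)
    for device, blob in keytabs.items():
        for e in parse_keytab(blob):
            fp = hashlib.sha256(e["key"]).hexdigest()[:16]  # never log the key itself
            seen[(e["principal"], e["enctype"], fp)].append(device)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed fleet: dev-b and dev-c were imaged from the same keytab.
FLEET = {d: make_keytab(p, k) for d, p, k in [
    ("dev-a", "host/dev-a.example.com@EXAMPLE.COM", b"\x11" * 32),
    ("dev-b", "host/shared.example.com@EXAMPLE.COM", b"\x22" * 32),
    ("dev-c", "host/shared.example.com@EXAMPLE.COM", b"\x22" * 32)]}
```

Run `shared_keys` over keytabs collected from each device: any entry it returns is a principal whose compromise on one device lets that device be impersonated as all the others listed.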


